From c203b12c8025d0b66c94cc1bf657f73fd12f6975 Mon Sep 17 00:00:00 2001 From: Jeremy Rickard Date: Wed, 18 Jul 2018 09:56:00 -0600 Subject: [PATCH 1/7] Adds ability to filter by [Cluster]ServicePlan.spec.free Closes: #2209 --- pkg/apis/servicecatalog/types.go | 1 + pkg/apis/servicecatalog/v1beta1/filter.go | 4 ++++ pkg/apis/servicecatalog/v1beta1/filter_test.go | 6 ++++-- pkg/apis/servicecatalog/v1beta1/types.go | 11 +++++++---- pkg/controller/controller_test.go | 9 +++++++++ pkg/openapi/openapi_generated.go | 2 +- 6 files changed, 26 insertions(+), 7 deletions(-) diff --git a/pkg/apis/servicecatalog/types.go b/pkg/apis/servicecatalog/types.go index 42c93537ff8..990b9f89a89 100644 --- a/pkg/apis/servicecatalog/types.go +++ b/pkg/apis/servicecatalog/types.go @@ -150,6 +150,7 @@ type CommonServiceBrokerSpec struct { // name - the value set to [Cluster]ServicePlan.Name // spec.externalName - the value set to [Cluster]ServicePlan.Spec.ExternalName // spec.externalID - the value set to [Cluster]ServicePlan.Spec.ExternalID +// spec.free - the value set to [Cluster]ServicePlan.Spec.Free // spec.serviceClassName - the value set to ServicePlan.Spec.ServiceClassRef.Name // spec.clusterServiceClass.name - the value set to ClusterServicePlan.Spec.ClusterServiceClassRef.Name type CatalogRestrictions struct { diff --git a/pkg/apis/servicecatalog/v1beta1/filter.go b/pkg/apis/servicecatalog/v1beta1/filter.go index bdbec158e32..16aa52bba18 100644 --- a/pkg/apis/servicecatalog/v1beta1/filter.go +++ b/pkg/apis/servicecatalog/v1beta1/filter.go @@ -17,6 +17,8 @@ limitations under the License. package v1beta1 import ( + "strconv" + "github.com/kubernetes-incubator/service-catalog/pkg/filter" "k8s.io/apimachinery/pkg/labels" ) @@ -50,6 +52,7 @@ func ConvertServicePlanToProperties(servicePlan *ServicePlan) filter.Properties FilterSpecExternalName: servicePlan.Spec.ExternalName, FilterSpecExternalID: servicePlan.Spec.ExternalID, FilterSpecServiceClassName: servicePlan.Spec.ServiceClassRef.Name, + FilterSpecFree: strconv.FormatBool(servicePlan.Spec.Free), } } @@ -79,5 +82,6 @@ func ConvertClusterServicePlanToProperties(servicePlan *ClusterServicePlan) filt FilterSpecExternalName: servicePlan.Spec.ExternalName, FilterSpecExternalID: servicePlan.Spec.ExternalID, FilterSpecClusterServiceClassName: servicePlan.Spec.ClusterServiceClassRef.Name, + FilterSpecFree: strconv.FormatBool(servicePlan.Spec.Free), } } diff --git a/pkg/apis/servicecatalog/v1beta1/filter_test.go b/pkg/apis/servicecatalog/v1beta1/filter_test.go index 0aea3ad916d..4fffab767f4 100644 --- a/pkg/apis/servicecatalog/v1beta1/filter_test.go +++ b/pkg/apis/servicecatalog/v1beta1/filter_test.go @@ -83,13 +83,14 @@ func TestConvertServicePlanToProperties(t *testing.T) { CommonServicePlanSpec: CommonServicePlanSpec{ ExternalName: "external-plan-name", ExternalID: "external-id", + Free: true, }, ServiceClassRef: LocalObjectReference{ Name: "service-class-name", }, }, }, - json: `{"name":"service-plan","spec.externalID":"external-id","spec.externalName":"external-plan-name","spec.serviceClass.name":"service-class-name"}`, + json: `{"name":"service-plan","spec.externalID":"external-id","spec.externalName":"external-plan-name","spec.free":"true","spec.serviceClass.name":"service-class-name"}`, }, } for _, tc := range cases { @@ -170,13 +171,14 @@ func TestConvertClusterServicePlanToProperties(t *testing.T) { CommonServicePlanSpec: CommonServicePlanSpec{ ExternalName: "external-plan-name", ExternalID: "external-id", + Free: true, }, ClusterServiceClassRef: ClusterObjectReference{ Name: "cluster-service-class-name", }, }, }, - json: `{"name":"service-plan","spec.clusterServiceClass.name":"cluster-service-class-name","spec.externalID":"external-id","spec.externalName":"external-plan-name"}`, + json: `{"name":"service-plan","spec.clusterServiceClass.name":"cluster-service-class-name","spec.externalID":"external-id","spec.externalName":"external-plan-name","spec.free":"true"}`, }, } for _, tc := range cases { diff --git a/pkg/apis/servicecatalog/v1beta1/types.go b/pkg/apis/servicecatalog/v1beta1/types.go index e92bee01287..9987842a0d1 100644 --- a/pkg/apis/servicecatalog/v1beta1/types.go +++ b/pkg/apis/servicecatalog/v1beta1/types.go @@ -136,13 +136,13 @@ type CommonServiceBrokerSpec struct { // This is an example of a whitelist on service externalName. // Goal: Only list Services with the externalName of FooService and BarService, // Solution: restrictions := ServiceCatalogRestrictions{ -// ServiceClass: ["externalName in (FooService, BarService)"] +// ServiceClass: ["spec.externalName in (FooService, BarService)"] // } // // This is an example of a blacklist on service externalName. // Goal: Allow all services except the ones with the externalName of FooService and BarService, // Solution: restrictions := ServiceCatalogRestrictions{ -// ServiceClass: ["externalName notin (FooService, BarService)"] +// ServiceClass: ["spec.externalName notin (FooService, BarService)"] // } // // This whitelists plans called "Demo", and blacklists (but only a single element in @@ -150,7 +150,7 @@ type CommonServiceBrokerSpec struct { // Goal: Allow all plans with the externalName demo, but not AABBCC, and not a specific service by name, // Solution: restrictions := ServiceCatalogRestrictions{ // ServiceClass: ["name!=AABBB-CCDD-EEGG-HIJK"] -// ServicePlan: ["externalName in (Demo)", "name!=AABBCC"] +// ServicePlan: ["spec.externalName in (Demo)", "name!=AABBCC"] // } // // CatalogRestrictions strings have a special format similar to Label Selectors, @@ -171,8 +171,9 @@ type CommonServiceBrokerSpec struct { // name - the value set to [Cluster]ServicePlan.Name // spec.externalName - the value set to [Cluster]ServicePlan.Spec.ExternalName // spec.externalID - the value set to [Cluster]ServicePlan.Spec.ExternalID +// spec.free - the value set to [Cluster]ServicePlan.Spec.Free // spec.serviceClass.name - the value set to ServicePlan.Spec.ServiceClassRef.Name -// spec.clusterServiceClass.name - the vlaue set to ClusterServicePlan.Spec.ClusterServiceClassRef.Name +// spec.clusterServiceClass.name - the value set to ClusterServicePlan.Spec.ClusterServiceClassRef.Name type CatalogRestrictions struct { // ServiceClass represents a selector for plans, used to filter catalog re-lists. ServiceClass []string `json:"serviceClass,omitempty"` @@ -1372,6 +1373,8 @@ const ( FilterSpecClusterServiceClassName = "spec.clusterServiceClass.name" // SpecServiceClassName is only used for plans, the parent service class name. FilterSpecServiceClassName = "spec.serviceClass.name" + // FilterSpecFree is only used for plans, determines if the plan is free. + FilterSpecFree = "spec.free" ) // SecretTransform is a single transformation that is applied to the diff --git a/pkg/controller/controller_test.go b/pkg/controller/controller_test.go index ea38ab3430b..22fbfab8859 100644 --- a/pkg/controller/controller_test.go +++ b/pkg/controller/controller_test.go @@ -1588,6 +1588,15 @@ func TestConvertAndFilterCatalog(t *testing.T) { plans: []string{"Goldengrove", "Queensgate"}, catalog: largeTestCatalog, }, + { + name: "filter free plans", + restrictions: &v1beta1.CatalogRestrictions{ + ServicePlan: []string{"spec.free==true"}, + }, + classes: []string{"Arrax", "Balerion"}, + plans: []string{"Eastwatch-by-the-Sea", "OldOak", "Queensgate"}, + catalog: largeTestCatalog, + }, } for _, tc := range cases { t.Run(tc.name, func(t *testing.T) { diff --git a/pkg/openapi/openapi_generated.go b/pkg/openapi/openapi_generated.go index d0c7d38aee3..e031defd65b 100644 --- a/pkg/openapi/openapi_generated.go +++ b/pkg/openapi/openapi_generated.go @@ -441,7 +441,7 @@ func schema_pkg_apis_servicecatalog_v1beta1_CatalogRestrictions(ref common.Refer return common.OpenAPIDefinition{ Schema: spec.Schema{ SchemaProps: spec.SchemaProps{ - Description: "CatalogRestrictions is a set of restrictions on which of a broker's services and plans have resources created for them.\n\nSome examples of this object are as follows:\n\nThis is an example of a whitelist on service externalName. Goal: Only list Services with the externalName of FooService and BarService, Solution: restrictions := ServiceCatalogRestrictions{\n\t\tServiceClass: [\"externalName in (FooService, BarService)\"]\n}\n\nThis is an example of a blacklist on service externalName. Goal: Allow all services except the ones with the externalName of FooService and BarService, Solution: restrictions := ServiceCatalogRestrictions{\n\t\tServiceClass: [\"externalName notin (FooService, BarService)\"]\n}\n\nThis whitelists plans called \"Demo\", and blacklists (but only a single element in the list) a service and a plan. Goal: Allow all plans with the externalName demo, but not AABBCC, and not a specific service by name, Solution: restrictions := ServiceCatalogRestrictions{\n\t\tServiceClass: [\"name!=AABBB-CCDD-EEGG-HIJK\"]\n\t\tServicePlan: [\"externalName in (Demo)\", \"name!=AABBCC\"]\n}\n\nCatalogRestrictions strings have a special format similar to Label Selectors, except the catalog supports only a very specific property set.\n\nThe predicate format is expected to be `` Check the *Requirements type definition for which strings will be allowed. is allowed to be one of the following: ==, !=, in, notin will be a string value if `==` or `!=` are used. will be a set of string values if `in` or `notin` are used. Multiple predicates are allowed to be chained with a comma (,)\n\nServiceClass allowed property names:\n name - the value set to [Cluster]ServiceClass.Name\n spec.externalName - the value set to [Cluster]ServiceClass.Spec.ExternalName\n spec.externalID - the value set to [Cluster]ServiceClass.Spec.ExternalID\nServicePlan allowed property names:\n name - the value set to [Cluster]ServicePlan.Name\n spec.externalName - the value set to [Cluster]ServicePlan.Spec.ExternalName\n spec.externalID - the value set to [Cluster]ServicePlan.Spec.ExternalID\n spec.serviceClass.name - the value set to ServicePlan.Spec.ServiceClassRef.Name\n spec.clusterServiceClass.name - the vlaue set to ClusterServicePlan.Spec.ClusterServiceClassRef.Name", + Description: "CatalogRestrictions is a set of restrictions on which of a broker's services and plans have resources created for them.\n\nSome examples of this object are as follows:\n\nThis is an example of a whitelist on service externalName. Goal: Only list Services with the externalName of FooService and BarService, Solution: restrictions := ServiceCatalogRestrictions{\n\t\tServiceClass: [\"spec.externalName in (FooService, BarService)\"]\n}\n\nThis is an example of a blacklist on service externalName. Goal: Allow all services except the ones with the externalName of FooService and BarService, Solution: restrictions := ServiceCatalogRestrictions{\n\t\tServiceClass: [\"spec.externalName notin (FooService, BarService)\"]\n}\n\nThis whitelists plans called \"Demo\", and blacklists (but only a single element in the list) a service and a plan. Goal: Allow all plans with the externalName demo, but not AABBCC, and not a specific service by name, Solution: restrictions := ServiceCatalogRestrictions{\n\t\tServiceClass: [\"name!=AABBB-CCDD-EEGG-HIJK\"]\n\t\tServicePlan: [\"spec.externalName in (Demo)\", \"name!=AABBCC\"]\n}\n\nCatalogRestrictions strings have a special format similar to Label Selectors, except the catalog supports only a very specific property set.\n\nThe predicate format is expected to be `` Check the *Requirements type definition for which strings will be allowed. is allowed to be one of the following: ==, !=, in, notin will be a string value if `==` or `!=` are used. will be a set of string values if `in` or `notin` are used. Multiple predicates are allowed to be chained with a comma (,)\n\nServiceClass allowed property names:\n name - the value set to [Cluster]ServiceClass.Name\n spec.externalName - the value set to [Cluster]ServiceClass.Spec.ExternalName\n spec.externalID - the value set to [Cluster]ServiceClass.Spec.ExternalID\nServicePlan allowed property names:\n name - the value set to [Cluster]ServicePlan.Name\n spec.externalName - the value set to [Cluster]ServicePlan.Spec.ExternalName\n spec.externalID - the value set to [Cluster]ServicePlan.Spec.ExternalID\n spec.free - the value set to [Cluster]ServicePlan.Spec.Free\n spec.serviceClass.name - the value set to ServicePlan.Spec.ServiceClassRef.Name\n spec.clusterServiceClass.name - the value set to ClusterServicePlan.Spec.ClusterServiceClassRef.Name", Properties: map[string]spec.Schema{ "serviceClass": { SchemaProps: spec.SchemaProps{ From 1ec55e2e3000d43e94760ced656a38e43a5016b7 Mon Sep 17 00:00:00 2001 From: Jeremy Rickard Date: Wed, 18 Jul 2018 12:05:19 -0600 Subject: [PATCH 2/7] Adding catalog restriction docs --- docs/catalog-restrictions.md | 194 +++++++++++++++++++++++++ docsite/_config.yml | 1 + docsite/_data/catalog-restrictions.yml | 11 ++ 3 files changed, 206 insertions(+) create mode 100644 docs/catalog-restrictions.md create mode 100644 docsite/_data/catalog-restrictions.yml diff --git a/docs/catalog-restrictions.md b/docs/catalog-restrictions.md new file mode 100644 index 00000000000..db2f42c4f2a --- /dev/null +++ b/docs/catalog-restrictions.md @@ -0,0 +1,194 @@ +--- +title: Filtering Broker Catalogs +layout: docwithnav +--- + +# Catalog Restrictions + +Services provided by service brokers are represented in Kubernetes by two +different [resources](resources.md), service classes and service plans. When a +`ClusterServiceBroker` or `ServiceBroker` resource is created, the Service +Catalog will query the Service Broker for the list of available Services. +Service Catalog will then create `ClusterServiceClass` or `ServiceClass` +resources to represent the service classes and `ClusterServicePlan` or +`ServicePlan` resources to represent service plans. By default, Service Catalog +will create a `ClusterServiceClass` or `ServiceClass` for each service class +and a `ClusterServicePlan` or `ServicePlan` for each service plan +provided by the service broker. When creating a `ClusterServiceBroker` or +`ServiceBroker` resource, you can change this behavior by specifying one or +more catalog restrictions. Catalog restrictions act in a manner similar to +Kubernetes label selectors to enable you to control how service classes and +service plans should be exposed from the service brokers. + +## Using Catalog Restrictions + +Catalog restrictions are specified in `ClusterServiceBroker` or `ServiceBroker` + resources. A sample YAML might look like: + +```yaml +apiVersion: servicecatalog.k8s.io/v1beta1 +kind: ClusterServiceBroker +metadata: + name: sample-broker +spec: + authInfo: + basic: + secretRef: + name: sample-broker-auth + namespace: brokers + catalogRestrictions: + servicePlan: + - "spec.externalName==basic" + url: http://sample-broker.brokers.svc.cluster.local +``` + +In this example, a catalog restriction has been defined that specifies that +only service plans that have an external name of basic should be selected. +Catalog restrictions are defined as a set of one or more rules that target +either service classes and service plans. These rules have a special format + similar to Kubernetes label selectors. + +The rule format is expected to be `` + +* is allowed to be one of the following: ==, !=, in, notin +* will be a string value if `==` or `!=` are used. +* will be a set of string values if `in` or `notin` are used. + + +Catalog restrictions, while similar to label selectors, only operate on a +subset of properties on service class and service plan resources. The following + sections detail what properties can be used to define catalog restrictions for + each resource type. + +`ClusterServiceClass` allowed property names: + +| Property Name | Description | +| name | the value set to ClusterServiceClass.Name | +| spec.externalName | the value set to ClusterServiceClass.Spec.ExternalName | +| spec.externalID | the value set to ClusterServiceClass.Spec.ExternalID | + +`ServiceClass` allowed property names: + +| Property Name | Description | +| name | the value set to ServiceClass.Name | +| spec.externalName | the value set to ServiceClass.Spec.ExternalName | +| spec.externalID | the value set to ServiceClass.Spec.ExternalID | + +`ClusterServicePlan` allowed property names: + +| Property Name | Description | +| name | the value set to ClusterServicePlan.Name | +| spec.externalName | the value set to ClusterServicePlan.Spec.ExternalName | +| spec.externalID | the value set to ClusterServicePlan.Spec.ExternalID | +| spec.free | the value set to ClusterServicePlan.Spec.Free | +| spec.clusterServiceClass.name | the value set to ClusterServicePlan.Spec.ClusterServiceClassRef.Name | + +`ServicePlan` allowed property names: + +| Property Name | Description | +| name | the value set to ServicePlan.Name | +| spec.externalName | the value set to ServicePlan.Spec.ExternalName | +| spec.externalID | the value set to ServicePlan.Spec.ExternalID | +| spec.free | the value set to ServicePlan.Spec.Free | +| spec.serviceClass.name | the value set to ServicePlan.Spec.ServiceClassRef.Name | + +## Examples + +The following examples show some possible ways to apply catalog restrictions. + +### Service Class externalName Whitelist + +This example creates a Service Class restriction on spec.externalName using the + `in` operator. In this case, only services that have the externalName + `FooService` or `BarService` will have Service Catalog resources created. + The YAML for this would look like: + +```yaml +apiVersion: servicecatalog.k8s.io/v1beta1 +kind: ClusterServiceBroker +metadata: + name: sample-broker +spec: + authInfo: + basic: + secretRef: + name: sample-broker-auth + namespace: brokers + catalogRestrictions: + serviceClass: + - "spec.externalName in (FooService, BarService)" + url: http://sample-broker.brokers.svc.cluster.local +``` + +### Service Class externalName Blacklist + + To allow all services, except those named `FooService` or `BarService`, + the `notin` operator can be used. The YAML for this would look like: + above. + +```yaml +apiVersion: servicecatalog.k8s.io/v1beta1 +kind: ClusterServiceBroker +metadata: + name: sample-broker +spec: + authInfo: + basic: + secretRef: + name: sample-broker-auth + namespace: brokers + catalogRestrictions: + serviceClass: + - "spec.externalName notin (FooService, BarService)" + url: http://sample-broker.brokers.svc.cluster.local +``` + +### Using Multiple Predicates + +As mentioned above, you can chain rules together. For example, +to restrict service plans to only those free plans with an externalName of +`Demo`, the YAML would look like: + +```yaml +apiVersion: servicecatalog.k8s.io/v1beta1 +kind: ClusterServiceBroker +metadata: + name: sample-broker +spec: + authInfo: + basic: + secretRef: + name: sample-broker-auth + namespace: brokers + catalogRestrictions: + servicePlan: + - "spec.externalName in (Demo)" + - "spec.free=true" + url: http://sample-broker.brokers.svc.cluster.local +``` + +### Combining Service Class and Service Plan Catalog Restrictions + +You can also combine restrictions on classes and plans. An example that +allow all free plans with the externalName `Demo`, and not a specific service + named `AABBB-CCDD-EEGG-HIJK`, you would create a YAML like: + +```yaml +apiVersion: servicecatalog.k8s.io/v1beta1 +kind: ClusterServiceBroker +metadata: + name: sample-broker +spec: + authInfo: + basic: + secretRef: + name: sample-broker-auth + namespace: brokers + catalogRestrictions: + serviceClass: + - "name!=AABBB-CCDD-EEGG-HIJK" + servicePlan: + - "spec.externalName in (Demo)" + - "spec.free=true" + url: http://sample-broker.brokers.svc.cluster.local +``` \ No newline at end of file diff --git a/docsite/_config.yml b/docsite/_config.yml index a818df2f777..0a4d820584b 100644 --- a/docsite/_config.yml +++ b/docsite/_config.yml @@ -58,4 +58,5 @@ tocs: - concepts - resources - namespaced-broker-resources + - catalog-restrictions - docs-home # fallthrough, leave this last diff --git a/docsite/_data/catalog-restrictions.yml b/docsite/_data/catalog-restrictions.yml new file mode 100644 index 00000000000..1a521c50d2d --- /dev/null +++ b/docsite/_data/catalog-restrictions.yml @@ -0,0 +1,11 @@ +bigheader: "Catalog Restrictions" +abstract: "Using Catalog Restrictions to control Service Class and Plan access." +landing_page: /docs/catalog-restrictions/ +toc: +- docs/catalog-restrictions.md +- title: Catalog Restrictions + path: /docs/catalog-restrictions/#catalog-restrictions +- title: Using Catalog Restrictions + path: /docs/catalog-restrictions/#using-catalog-restrictions +- title: Examples + path: /docs/catalog-restrictions/#examples From 3ff0dbd9f0847cfa561099814f6206c5c5e832f8 Mon Sep 17 00:00:00 2001 From: Jeremy Rickard Date: Wed, 18 Jul 2018 12:11:14 -0600 Subject: [PATCH 3/7] Fix html formatting --- docs/catalog-restrictions.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/catalog-restrictions.md b/docs/catalog-restrictions.md index db2f42c4f2a..4c8621b5baa 100644 --- a/docs/catalog-restrictions.md +++ b/docs/catalog-restrictions.md @@ -50,9 +50,9 @@ either service classes and service plans. These rules have a special format The rule format is expected to be `` -* is allowed to be one of the following: ==, !=, in, notin -* will be a string value if `==` or `!=` are used. -* will be a set of string values if `in` or `notin` are used. +* `` is allowed to be one of the following: ==, !=, in, notin +* `` will be a string value if `==` or `!=` are used. +* `` will be a set of string values if `in` or `notin` are used. Catalog restrictions, while similar to label selectors, only operate on a From 7e92cc134a1d599c361f861f3916563f16a4fa7c Mon Sep 17 00:00:00 2001 From: Jeremy Rickard Date: Wed, 18 Jul 2018 14:18:54 -0600 Subject: [PATCH 4/7] Review comments --- docs/catalog-restrictions.md | 52 ++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/docs/catalog-restrictions.md b/docs/catalog-restrictions.md index 4c8621b5baa..534147abd62 100644 --- a/docs/catalog-restrictions.md +++ b/docs/catalog-restrictions.md @@ -50,10 +50,10 @@ either service classes and service plans. These rules have a special format The rule format is expected to be `` -* `` is allowed to be one of the following: ==, !=, in, notin -* `` will be a string value if `==` or `!=` are used. -* `` will be a set of string values if `in` or `notin` are used. - +* `` is one of the supported properties of a service class or service plan resource, described below +* `` is allowed to be one of the following: `==`, `!=`, `in`, `notin` +* `` will be a string value if `==` or `!=` are used, otherwise it will be a set of string values if `in` or `notin` are used +* `` is case sensitive Catalog restrictions, while similar to label selectors, only operate on a subset of properties on service class and service plan resources. The following @@ -62,41 +62,41 @@ subset of properties on service class and service plan resources. The following `ClusterServiceClass` allowed property names: -| Property Name | Description | -| name | the value set to ClusterServiceClass.Name | -| spec.externalName | the value set to ClusterServiceClass.Spec.ExternalName | -| spec.externalID | the value set to ClusterServiceClass.Spec.ExternalID | +| Property Key | Description | +| name | This key will match the ClusterServiceClass.Name property | +| spec.externalName | This key will match the ClusterServiceClass.Spec.ExternalName property | +| spec.externalID | This key will match the ClusterServiceClass.Spec.ExternalID property | `ServiceClass` allowed property names: -| Property Name | Description | -| name | the value set to ServiceClass.Name | -| spec.externalName | the value set to ServiceClass.Spec.ExternalName | -| spec.externalID | the value set to ServiceClass.Spec.ExternalID | +| Property Key | Description | +| name | This key will match the ServiceClass.Name | +| spec.externalName | This key will match the ServiceClass.Spec.ExternalName property | +| spec.externalID | This key will match the ServiceClass.Spec.ExternalID property | `ClusterServicePlan` allowed property names: -| Property Name | Description | -| name | the value set to ClusterServicePlan.Name | -| spec.externalName | the value set to ClusterServicePlan.Spec.ExternalName | -| spec.externalID | the value set to ClusterServicePlan.Spec.ExternalID | -| spec.free | the value set to ClusterServicePlan.Spec.Free | -| spec.clusterServiceClass.name | the value set to ClusterServicePlan.Spec.ClusterServiceClassRef.Name | +| Property Key | Description | +| name | This key will match the ClusterServicePlan.Name | +| spec.externalName | This key will match the ClusterServicePlan.Spec.ExternalName property | +| spec.externalID | This key will match the ClusterServicePlan.Spec.ExternalID property | +| spec.free | This key will match the ClusterServicePlan.Spec.Free property | +| spec.clusterServiceClass.name | This key will match the ClusterServicePlan.Spec.ClusterServiceClassRef.Name property | `ServicePlan` allowed property names: -| Property Name | Description | -| name | the value set to ServicePlan.Name | -| spec.externalName | the value set to ServicePlan.Spec.ExternalName | -| spec.externalID | the value set to ServicePlan.Spec.ExternalID | -| spec.free | the value set to ServicePlan.Spec.Free | -| spec.serviceClass.name | the value set to ServicePlan.Spec.ServiceClassRef.Name | +| Property Key | Description | +| name | This key will match the ServicePlan.Name property | +| spec.externalName | This key will match the ServicePlan.Spec.ExternalName property | +| spec.externalID | This key will match the ServicePlan.Spec.ExternalID property | +| spec.free | This key will match the ServicePlan.Spec.Free property | +| spec.serviceClass.name | This key will match the ServicePlan.Spec.ServiceClassRef.Name property | ## Examples The following examples show some possible ways to apply catalog restrictions. -### Service Class externalName Whitelist +### Allow Only Service Class Resources with Specific External Name This example creates a Service Class restriction on spec.externalName using the `in` operator. In this case, only services that have the externalName @@ -120,7 +120,7 @@ spec: url: http://sample-broker.brokers.svc.cluster.local ``` -### Service Class externalName Blacklist +### Allow All Service Class Resources Except Those with Specific External Name To allow all services, except those named `FooService` or `BarService`, the `notin` operator can be used. The YAML for this would look like: From 20092e535063d394b126e97e609938eab0244e2e Mon Sep 17 00:00:00 2001 From: Jeremy Rickard Date: Wed, 18 Jul 2018 14:20:11 -0600 Subject: [PATCH 5/7] Trying relative paths --- docsite/_data/catalog-restrictions.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docsite/_data/catalog-restrictions.yml b/docsite/_data/catalog-restrictions.yml index 1a521c50d2d..7f293a9e398 100644 --- a/docsite/_data/catalog-restrictions.yml +++ b/docsite/_data/catalog-restrictions.yml @@ -4,8 +4,8 @@ landing_page: /docs/catalog-restrictions/ toc: - docs/catalog-restrictions.md - title: Catalog Restrictions - path: /docs/catalog-restrictions/#catalog-restrictions + path: #catalog-restrictions - title: Using Catalog Restrictions - path: /docs/catalog-restrictions/#using-catalog-restrictions + path: #using-catalog-restrictions - title: Examples - path: /docs/catalog-restrictions/#examples + path: #examples From 455e6753bc35fe42dfc5da152b2dbf6d9234b65c Mon Sep 17 00:00:00 2001 From: Jeremy Rickard Date: Wed, 18 Jul 2018 15:10:51 -0600 Subject: [PATCH 6/7] Review comments from Jay --- docs/catalog-restrictions.md | 2 +- docsite/_data/catalog-restrictions.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/catalog-restrictions.md b/docs/catalog-restrictions.md index 534147abd62..9b4cecc5bd6 100644 --- a/docs/catalog-restrictions.md +++ b/docs/catalog-restrictions.md @@ -45,7 +45,7 @@ spec: In this example, a catalog restriction has been defined that specifies that only service plans that have an external name of basic should be selected. Catalog restrictions are defined as a set of one or more rules that target -either service classes and service plans. These rules have a special format + service classes and/or service plans. These rules have a special format similar to Kubernetes label selectors. The rule format is expected to be `` diff --git a/docsite/_data/catalog-restrictions.yml b/docsite/_data/catalog-restrictions.yml index 7f293a9e398..c0b57f8cd6a 100644 --- a/docsite/_data/catalog-restrictions.yml +++ b/docsite/_data/catalog-restrictions.yml @@ -4,8 +4,8 @@ landing_page: /docs/catalog-restrictions/ toc: - docs/catalog-restrictions.md - title: Catalog Restrictions - path: #catalog-restrictions + path: "#catalog-restrictions" - title: Using Catalog Restrictions - path: #using-catalog-restrictions + path: "#using-catalog-restrictions" - title: Examples - path: #examples + path: "#examples" From 79b7e9d0bde419871cd3029e215bcf2f2c9d7da8 Mon Sep 17 00:00:00 2001 From: Jeremy Rickard Date: Wed, 18 Jul 2018 18:55:45 -0600 Subject: [PATCH 7/7] linking to namespaced docs --- docs/README.md | 1 + docs/namespaced-broker-resources.md | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/README.md b/docs/README.md index d0fc50c99cd..4c3df43dba9 100644 --- a/docs/README.md +++ b/docs/README.md @@ -32,6 +32,7 @@ Afterward, see the topics below. ## Topics for operators: - [Using Namespaced Broker Resources](./namespaced-broker-resources.md) +- [Filtering Broker Catalogs](./catalog-restrictions.md) ## Request for Comments diff --git a/docs/namespaced-broker-resources.md b/docs/namespaced-broker-resources.md index f06294c63ad..69bfc91d499 100644 --- a/docs/namespaced-broker-resources.md +++ b/docs/namespaced-broker-resources.md @@ -68,7 +68,7 @@ Service Catalog's cluster-scoped resources for brokers, services, and plans are be used to prevent a user from creating a `ServiceInstance` using that `ClusterServiceClass` and `ClusterServicePlan`. Namespace-scoped brokers, services and plans, however, can be effectively combined with Kubernetes RBAC -and Service Catalog Catalog Restrictions in order to provide more granular +and Service Catalog [Catalog Restrictions](catalog-restrictions.md) in order to provide more granular control over service instance provisioning. ## Enabling Namespace Scoped Broker Resources @@ -212,7 +212,7 @@ The use of namespace-scoped resources enables you to register brokers within a given namespace and leverage RBAC in order to control who can provision services in that namespace. By default, all service classes and plans from that broker will be available to users of the namespace. When registering -a broker, catalog restrictions can be specified in order to restrict what plans +a broker, [catalog restrictions](catalog-restrictions.md) can be specified in order to restrict what plans are available within a given namespace. This allows you to specify that in the `developer` namespace, only plans named `basic` can be created. The YAML to accomplish this might look like: